Back a few months ago, we had to recreate our tree CA; we've been updating the certs on the servers ever since, as time allows. Most of the old certs are still valid (with the exception now of maybe 2 servers because the old CA wouldn't have expired until late 2014, and most of our servers with an old cert expire in 2014 as well).

On our OES2 boxes, I often run into a situation where the new cert doesn't seem to be picked up right by httpstkd.
I've followed TIDs 7007305 and 7000075, but that doesn't seem to help.

Step 1: In iManager, I run a force repair on all 4 default certificates for the server
Step 2: Validate the certs to make sure they're okay
Step 3: namconfig -k at the server console
Step 4: namconfig cache_refresh or rcnamcd restart (.. sometimes both)
Step 5: nldap -u ; nldap -l to reload nldap
Step 6: rcnovell-httpstkd stop; start to restart httpstkd.

Everything else LUM/NAM seems to be okay; I can check with "namconfig get" to make sure I have the right preferred server (I also check on /etc/sysconfig/novell/lum2sp2).
I can run "id admin" (or any of the other LUM-enabled admins) and that works okay. So, LUM and NAM are happy.

But the NRM certificate is broken. IE9 and Firefox both claim it to be from an untrusted authority (yet I have the new and old CA's cert imported under Trusted Cert Authorities).
It doesn't seem to refer back to the CA; there appears to be no "chain" to speak of. The only thing in the chain is a cert with its IP for a name.

I even tried reloading both owcimond and httpstkd, but no luck. I didn't think I needed to reload tomcat.
What am I missing? Looking in iManager, the new certs are healthy. Do I need to manually import them somehow?
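
A certificate named for the server's IP with nothing above it in the chain can be checked offline once it and the CA certificate are saved as PEM files. The script below is an added example, not part of the original post: it reports whether a certificate verifies against a given CA, is self-signed, or comes from some other issuer. The file names, the EXAMPLE-TREE organization, the host name and the 192.0.2.10 address are constructed sample values.

```shell
#!/bin/sh
# Added example: classify a PEM certificate against one CA certificate.
#   chains-to-ca : verifies against the supplied CA certificate
#   self-signed  : subject equals issuer, so there is no chain to any CA
#   other-issuer : signed by something other than the supplied CA
classify_cert() {  # usage: classify_cert <ca.pem> <cert.pem>
    ca=$1; cert=$2
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo chains-to-ca; return 0
    fi
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo other-issuer; fi
}

# Constructed sample data: a throwaway CA, a server cert it signs, and a
# self-signed cert whose only name is an IP address (the symptom above).
make_samples() {  # usage: make_samples <dir>
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=EXAMPLE-TREE/OU=Organizational CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE-TREE/CN=oes2.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=192.0.2.10" \
        -keyout "$d/ip.key" -out "$d/ip.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for c in srv ip; do
    printf '%s.pem: %s\n' "$c" "$(classify_cert "$demo_dir/ca.pem" "$demo_dir/$c.pem")"
done
rm -rf "$demo_dir"
```

To use it on real files, pass the exported tree CA certificate and the certificate the browser shows for NRM to classify_cert.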